Author Topic: URGENT PLEASE HELP *UID Tracking* 6 blocks for UID 89 (postfix)  (Read 1187 times)

« on: November 23, 2023, 01:37:31 PM »
My server is under attack. I have tried many ways to block other attempts, but I don't know how to block this *UID Tracking* 6 blocks for UID 89 (postfix). The lfd.log didn't have much detail. But in the email alert I found the attempts to postfix are from some IP range; below are the details. If someone can help with how to block this, it will be helpful, as incoming and outgoing emails are totally stuck now.

Email log message:
Code:
Sample of port hits:
Nov 23 19:02:38 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63421 DF PROTO=TCP SPT=55748 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
Nov 23 19:02:41 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39843 DF PROTO=TCP SPT=55732 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
Nov 23 19:02:45 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63424 DF PROTO=TCP SPT=55748 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
Nov 23 19:02:49 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39844 DF PROTO=TCP SPT=55732 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
Nov 23 19:02:49 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1159 DF PROTO=TCP SPT=55734 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
Nov 23 19:02:53 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63425 DF PROTO=TCP SPT=55748 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89

1. At the same time as the UID Tracking, these log entries are also coming sometimes:
Code:
Nov 23 18:15:17 cbwh lfd[21967]: (WPLOGIN) WP Login Attack 62.149.0.23 (UA/Ukraine/0-23.mcom2.cc.colocall.com): 10 in the last 3600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
2.
Code:
Nov 23 18:00:14 cbwh lfd[19670]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:00:29 cbwh lfd[19704]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:00:39 cbwh lfd[19722]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:00:54 cbwh lfd[19764]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:01:09 cbwh lfd[19819]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:02:04 cbwh lfd[20005]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:02:34 cbwh lfd[20116]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:03:09 cbwh lfd[20216]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:04:45 cbwh lfd[20401]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:05:30 cbwh lfd[20574]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:07:30 cbwh lfd[20812]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:08:05 cbwh lfd[20879]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:08:35 cbwh lfd[20931]: *UID Tracking* 6 blocks for UID 89 (postfix)
Nov 23 18:09:31 cbwh lfd[21030]: *UID Tracking* 6 blocks for UID 89 (postfix)

Re: URGENT PLEASE HELP *UID Tracking* 6 blocks for UID 89 (postfix)
« Reply #1 on: November 24, 2023, 02:22:39 AM »
It points to the Login Failure Daemon (LFD) using a custom trigger. Did you put something in place that is accidentally blocking postfix? This seems to be atypical behavior, something I haven't experienced myself...

Re: URGENT PLEASE HELP *UID Tracking* 6 blocks for UID 89 (postfix)
« Reply #2 on: November 24, 2023, 06:16:12 PM »
In my firewall the settings are these. I don't remember what I have done wrong; my server was under DDoS attack, so I changed many settings to lower the attempts. So if you have any idea what this is and how to block it. I also need to know why my mail queue is getting full, as most of the mails are showing Connection timed out. So please help.

TCP_IN = 20,21,25,53,80,110,143,443,465,587,993,995,2031,2083,2087,2096,2304

TCP_OUT = 20,21,110,143,80,82,113,443,2030,2031,2082,2083,2086,2087,2095,2096,587,993,995,2080,2443,9999,2703,8000,3306


Re: URGENT PLEASE HELP *UID Tracking* 6 blocks for UID 89 (postfix)
« Reply #3 on: November 25, 2023, 02:09:46 AM »
It won't be in the CSF port section (except it doesn't look as though you are allowing port 25 connections out) -- it looks to be more related to LFD; specifically, look for "CUSTOMTRIGGER". You shouldn't be blocking postfix or you will interfere with mail delivery.
But of course, more info is helpful.
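
Added example, not part of any post in this thread: a small Python check that parses the "*TCP_OUT Blocked*" kernel lines from the first post and compares each destination port with the TCP_OUT list from Reply #2, reporting which UID is being blocked on a port the outbound list does not allow. The function names are made up for this example, and treating "a:b" as a port range in the list is an assumption about the csf.conf syntax.

```python
import re
from collections import Counter

# Three of the kernel lines from the first post and the TCP_OUT value from Reply #2.
SAMPLE_LOG = """\
Nov 23 19:02:38 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63421 DF PROTO=TCP SPT=55748 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
Nov 23 19:02:41 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39843 DF PROTO=TCP SPT=55732 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
Nov 23 19:02:49 cbwh kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=173.249.41.250 DST=64.233.166.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1159 DF PROTO=TCP SPT=55734 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=89 GID=89
"""
TCP_OUT = ("20,21,110,143,80,82,113,443,2030,2031,2082,2083,2086,2087,2095,2096,"
           "587,993,995,2080,2443,9999,2703,8000,3306")

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_blocked(line):
    """Return the KEY=VALUE fields of a '*TCP_OUT Blocked*' line, or None."""
    if "*TCP_OUT Blocked*" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def allowed_ports(port_list):
    """Expand a comma-separated port list; 'a:b' is assumed to be an inclusive range."""
    ports = set()
    for item in (p.strip() for p in port_list.split(",")):
        if item:
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def blocked_not_allowed(log_text, tcp_out):
    """Count blocked outbound TCP packets per (UID, DPT) whose port is not in tcp_out."""
    allowed = allowed_ports(tcp_out)
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_blocked(line)
        if fields and fields.get("PROTO") == "TCP" and fields.get("DPT", "").isdigit():
            port = int(fields["DPT"])
            if port not in allowed:
                hits[(fields.get("UID", "?"), port)] += 1
    return hits


if __name__ == "__main__":
    for (uid, port), n in blocked_not_allowed(SAMPLE_LOG, TCP_OUT).items():
        print(f"UID {uid}: {n} blocked packets to port {port}, which is not in TCP_OUT")
```

On the lines quoted in the thread this reports UID 89 with destination port 25, the port Reply #3 notes is missing from the outbound list.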